v1.0.0

Outsmart LP Farming

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 5:59 AM.

Analysis

This skill is purpose-aligned for Solana LP farming, but it should be reviewed carefully because it uses a wallet private key and an external CLI to perform mainnet DeFi transactions.

Guidance: Install only if you are comfortable giving the `outsmart` CLI access to a Solana wallet private key. Use a small, dedicated hot wallet, verify the package source and version, simulate or quote before every transaction, and require explicit confirmation before adding/removing liquidity or creating pools.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium; Confidence: High; Status: Concern
SKILL.md
outsmart add-liq ... --sol 0.5 ...; outsmart create-pool ... --max-fee 9900 ...; outsmart remove-liq ... --pct 100

The documented workflow includes state-changing DeFi operations, including adding liquidity, creating a pool with a 99% starting fee, and removing 100% of a position, without explicit approval or simulation requirements.

User impact: An incorrectly selected pool, token, amount, or range could cause irreversible financial loss or unwanted public on-chain activity.
Recommendation: Require explicit user confirmation for every transaction, quote/simulate before signing, set maximum spend limits, and review pool/token addresses manually.

Agentic Supply Chain Vulnerabilities
Severity: Medium; Confidence: High; Status: Concern
metadata
Source: unknown ... Install specifications: node | package: outsmart | creates binaries: outsmart ... No code files present

The executable behavior comes from an external npm package that is not included in the reviewed artifacts, while the skill also requires a private key.

User impact: The user must trust the installed package with wallet-signing authority even though its code was not available in this artifact review.
Recommendation: Verify the npm package and GitHub repository, pin a known version, review/audit the CLI source, and avoid exposing valuable keys until provenance is trusted.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High; Confidence: High; Status: Concern
SKILL.md
"requires": { "bins": ["outsmart"], "env": ["PRIVATE_KEY", "MAINNET_ENDPOINT"] }

The skill requires a Solana wallet private key and a mainnet endpoint, which is direct authority to sign transactions against real funds.

User impact: If the key belongs to a funded wallet, mistakes or unsafe CLI behavior could spend, lock, or expose assets.
Recommendation: Use only a separate hot wallet with limited funds, never a main wallet; verify every transaction before signing and rotate/remove the private key after use.